I am writing an application in which I print the TCP sequence and acknowledgment numbers. I run tcpdump on the same box and the numbers do not match. Here is my code; all headers and structs come from sniffex.c:
```cpp
// The header structs (sniff_ethernet, sniff_ip, sniff_tcp), SIZE_ETHERNET, IP_HL()
// and TH_OFF() come from sniffex.c; these includes cover everything else used here.
#include <pcap.h>
#include <netinet/in.h>   // IPPROTO_*
#include <cstdio>
#include <iostream>

void
got_packet(u_char *args, const struct pcap_pkthdr *header, const u_char *packet)
{
    static int count = 1;                   /* packet counter */
    /* declare pointers to packet headers */
    const struct sniff_ethernet *ethernet;  /* The ethernet header [1] */
    const struct sniff_ip *ip;              /* The IP header */
    const struct sniff_tcp *tcp;            /* The TCP header */
    int size_ip;
    int size_tcp;
    int size_payload;

    count++;

    /* define ethernet header */
    ethernet = (struct sniff_ethernet*)(packet);

    /* define/compute ip header offset */
    ip = (struct sniff_ip*)(packet + SIZE_ETHERNET);
    size_ip = IP_HL(ip)*4;
    if (size_ip < 20) {
        printf(" * Invalid IP header length: %d bytes\n", size_ip);
        return;
    }

    /* determine protocol */
    switch(ip->ip_p) {
        case IPPROTO_TCP:
            printf(" Protocol: TCP\n");
            break;
        case IPPROTO_UDP:
            printf(" Protocol: UDP\n");
            return;
        case IPPROTO_ICMP:
            printf(" Protocol: ICMP\n");
            return;
        case IPPROTO_IP:
            printf(" Protocol: IP\n");
            return;
        default:
            printf(" Protocol: unknown\n");
            return;
    }

    /* define/compute tcp header offset */
    tcp = (struct sniff_tcp*)(packet + SIZE_ETHERNET + size_ip);
    size_tcp = TH_OFF(tcp)*4;
    if (size_tcp < 20) {
        printf(" * Invalid TCP header length: %d bytes\n", size_tcp);
        return;
    }

    /* th_seq / th_ack are printed here exactly as stored in the header */
    std::cout << "Packet# " << count << " S " << tcp->th_seq << " A "
              << tcp->th_ack << "\n";
}
```
This prints:

```text
Packet# 2 S 1063936835 A 1371648504
Packet# 3 S 1080714051 A 1975693816
Packet# 4 S 1080714051 A 1975693816
Packet# 5 S 141321027 A 2730734072
Packet# 6 S 2960220995 A 2730734072
Packet# 7 S 1484219203 A 2730734072
Packet# 8 S 8217411 A 2730734072
Packet# 9 S 2827117379 A 2730734072
Packet# 10 S 1351115587 A 2730734072
```
I run tcpdump to record a pcap file with:

```text
# sudo tcpdump -n -i eth0 -S -n -w cache.cap 'tcp and src port 80'
```

and then inspect it with:

```text
# sudo tcpdump -S -ttttnnr cache.cap
```
```text
reading from file cache.cap, link-type EN10MB (Ethernet)
2012-09-30 18:52:58.110398 IP 192.168.122.11.80 > 192.168.122.22.7001:
Flags [S.], seq 1130588735, ack 4172398929, win 14480, options [mss
1460,sackOK,TS val 71597136 ecr 71595534,nop,wscale 3], length 0
2012-09-30 18:52:58.110925 IP 192.168.122.11.80 > 192.168.122.22.7001:
Flags [.], ack 4172399221, win 1944, options [nop,nop,TS val 71597136
ecr 71595534], length 0
2012-09-30 18:52:58.116146 IP 192.168.122.11.80 > 192.168.122.22.7001:
Flags [P.], seq 1130588736:1130589192, ack 4172399221, win 1944,
options [nop,nop,TS val 71597137 ecr 71595534], length 456
2012-09-30 18:52:58.173321 IP 192.168.122.11.80 > 192.168.122.22.7001:
Flags [.], seq 1130589192:1130590640, ack 4172399522, win 2078,
options [nop,nop,TS val 71597152 ecr 71595549], length 1448
2012-09-30 18:52:58.173388 IP 192.168.122.11.80 > 192.168.122.22.7001:
Flags [.], seq 1130590640:1130592088, ack 4172399522, win 2078,
options [nop,nop,TS val 71597152 ecr 71595549], length 1448
2012-09-30 18:52:58.173517 IP 192.168.122.11.80 > 192.168.122.22.7001:
Flags [.], seq 1130592088:1130593536, ack 4172399522, win 2078,
options [nop,nop,TS val 71597152 ecr 71595549], length 1448
2012-09-30 18:52:58.173583 IP 192.168.122.11.80 > 192.168.122.22.7001:
Flags [.], seq 1130593536:1130594984, ack 4172399522, win 2078,
options [nop,nop,TS val 71597152 ecr 71595549], length 1448
2012-09-30 18:52:58.173620 IP 192.168.122.11.80 > 192.168.122.22.7001:
Flags [.], seq 1130594984:1130596432, ack 4172399522, win 2078,
options [nop,nop,TS val 71597152 ecr 71595549], length 1448
2012-09-30 18:52:58.173656 IP 192.168.122.11.80 > 192.168.122.22.7001:
Flags [.], seq 1130596432:1130597880, ack 4172399522, win 2078,
options [nop,nop,TS val 71597152 ecr 71595549], length 1448
```
The sequence and acknowledgment numbers do not match. What am I missing here?

In my application the filter is 'tcp and src port 80'.

Edit: I changed
```cpp
std::cout << "Packet# " << count << " S " << tcp->th_seq << " A "
          << tcp->th_ack << "\n";
```
to
```cpp
std::cout << "Packet# " << count << " S " << ntohl(tcp->th_seq) << " A "
          << ntohl(tcp->th_ack) << "\n";
```
Now the output is:

```text
Packet# 2 S 1384921720 A 3111642711
Packet# 3 S 1384921721 A 3111643003
Packet# 4 S 1384921721 A 3111643003
Packet# 5 S 1384922177 A 3111643304
Packet# 6 S 1384923625 A 3111643304
Packet# 7 S 1384925073 A 3111643304
Packet# 8 S 1384926521 A 3111643304
Packet# 9 S 1384927969 A 3111643304
Packet# 10 S 1384929417 A 3111643304
```
It still does not match.
Answer 0 (score: 0)

You are only recording half of the traffic, i.e. one direction. The ACKs are for the part you did not record. Try using a filter that includes destination port 80.
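As an added example (not the asker's code, sniffex.c, or the answerer's), the same header walk in plain C over a hand-constructed frame, with th_seq and th_ack converted by ntohl() and the end of the segment computed the way tcpdump prints `seq a:b`; it also checks the capture length so a truncated frame is rejected instead of read past its end. The MAC addresses, checksums and payload are made up; the addresses, ports, seq and ack values are taken from the tcpdump output above.

```c
/* Added example: parse one Ethernet/IPv4/TCP frame the way sniffex.c walks headers. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <arpa/inet.h>     /* ntohl(), ntohs() */
#include <netinet/in.h>    /* IPPROTO_TCP */
#define SIZE_ETHERNET 14
struct tcp_summary {
    uint32_t seq, ack;     /* host-order sequence / acknowledgment numbers */
    uint32_t next_seq;     /* seq + payload length, the "b" in tcpdump's "seq a:b" */
    int payload_len;
};
/* Returns 0 on success, -1 if the frame is not a complete TCP/IPv4 frame. */
int parse_tcp_frame(const uint8_t *packet, size_t caplen, struct tcp_summary *out)
{
    if (caplen < SIZE_ETHERNET + 20) return -1;
    const uint8_t *ip = packet + SIZE_ETHERNET;
    int size_ip = (ip[0] & 0x0f) * 4;                 /* IP_HL(ip) * 4 */
    uint16_t ip_len; memcpy(&ip_len, ip + 2, 2);
    ip_len = ntohs(ip_len);                           /* total length is big-endian too */
    if (size_ip < 20 || ip[9] != IPPROTO_TCP) return -1;
    if (ip_len > caplen - SIZE_ETHERNET || ip_len < size_ip + 20) return -1;
    const uint8_t *tcp = ip + size_ip;
    int size_tcp = (tcp[12] >> 4) * 4;                /* TH_OFF(tcp) * 4 */
    if (size_tcp < 20 || size_ip + size_tcp > ip_len) return -1;
    uint32_t seq, ack;
    memcpy(&seq, tcp + 4, 4);                         /* th_seq exactly as on the wire */
    memcpy(&ack, tcp + 8, 4);                         /* th_ack */
    out->seq = ntohl(seq);                            /* without ntohl() a little-endian */
    out->ack = ntohl(ack);                            /* host prints the bytes reversed  */
    out->payload_len = ip_len - size_ip - size_tcp;
    out->next_seq = out->seq + (uint32_t)out->payload_len;
    return 0;
}
/* Constructed frame: 192.168.122.11:80 -> 192.168.122.22:7001, flags [P.],
 * seq 1130588736, ack 4172399221, win 1944, 4 payload bytes ("HTTP"). */
static const uint8_t sample_frame[] = {
    0x00,0x11,0x22,0x33,0x44,0x55, 0x66,0x77,0x88,0x99,0xaa,0xbb, 0x08,0x00, /* Ethernet */
    0x45,0x00,0x00,0x2c, 0x00,0x00,0x40,0x00, 0x40,0x06,0x00,0x00,         /* IPv4 */
    0xc0,0xa8,0x7a,0x0b, 0xc0,0xa8,0x7a,0x16,
    0x00,0x50,0x1b,0x59, 0x43,0x63,0x6a,0x40, 0xf8,0xb1,0xc2,0x75,         /* TCP */
    0x50,0x18,0x07,0x98, 0x00,0x00,0x00,0x00, 'H','T','T','P' };
int main(void)
{
    struct tcp_summary s;
    if (parse_tcp_frame(sample_frame, sizeof sample_frame, &s) != 0) return 1;
    printf("seq %u:%u ack %u length %d\n", s.seq, s.next_seq, s.ack, s.payload_len);
    return 0;
}
```

Capturing with a filter such as 'tcp and port 80' records both directions, so the ack values printed here can be matched against the sequence numbers of the opposite flow.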